Many small businesses accept payments through Square. For a small fee on each transaction, Square can turn a smartphone or iPad into a payment station. But scammers are taking advantage of the service’s popularity by sending phishing emails that appear to be official correspondence.
How the Scam Works:
You get an email that appears to be from Square. There are several different versions, but they all use the Square logo and seem legitimate. In one common version, the message claims that you accepted a payment and provides credit card details. In another, a client has allegedly requested a refund and funds are being removed from your account. Both messages urge you to click a link and “View Full Payment/Refund Details” or “Deposit Now.”
Whatever you do, don’t click the links. They can download malware to your computer that can acquire your usernames, passwords and even sensitive personal information, such as your credit card number.
How to Avoid this Scam:
· Verify the Secure Square URL. Many phishing scams direct you to a non-secure site and then prompt you to enter your login and password or other personal details. Always double check that you are on the official Square website and that you have a secure connection before you login. How can you tell? Your browser should say “https://squareup.com/login” and the locked Square, Inc. icon should populate next to this web address.
· Be on the lookout for red flags. Typos and grammatical errors, as well as unfamiliar email addresses and scare tactics are all signs of a phishing scam.
· Protect your personal information. Never share your credit card numbers, Social Security number or even address and phone number with a stranger, especially if they have contacted you unsolicited.
For More Information:
BBB and the Federal Trade Commission will be announcing a new initiative to combat scams aimed at small businesses. Check BBB.org/SmallBusiness on Monday, June 18th for additional information.
To find out more about how phishing scams work and how to avoid them, at BBB.org/phishingscam.